05000400/FIN-2013002-03
Finding | |
---|---|
Title | Solid State Protection System Digital Modification |
Description | The inspectors identified an unresolved item (URI) associated with the licensee's implementation of a digital modification to the solid state protection system (SSPS) logic and control boards. This item remains unresolved pending NRC staff review of additional information to determine if the change could have been performed under a 10 CFR 50.59 evaluation and whether it should have been submitted to the NRC for prior approval. The SSPS logic and control boards provide the coincidence logic to produce actuation signals for operation of the reactor protection system (RPS) and the engineered safety features actuation systems (ESFAS). Engineering change 78484, Replace SSPS Boards with new Westinghouse Design Boards, Rev. 6, examined a digital modification to the existing SSPS logic and control boards. The original boards used fixed logic devices (transistor-transistor logic devices) whereas the replacement boards use reprogrammable logic devices (complex programmable logic devices (CPLDs)). The licensee performed a 10 CFR 50.59 Screening (AR 537776) using procedure REG-NGGC-0010, 10 CFR 50.59 and Selected Regulatory Reviews, Rev. 18. The procedure used the guidance in NEI 96-07, Guidelines for 10 CFR 50.59 Implementation, Rev. 1, as supplemented by NEI 01-01, Guidelines on Licensing Digital Upgrades, Rev. 1, to evaluate the design and implementation of digital modifications to instrumentation and control systems under 10 CFR 50.59. The licensee's screening indicated (in summary) that the new design boards performed the same functions and were functionally tested, and therefore did not adversely affect the SSPS design bases functions previously evaluated in the UFSAR. The screening further determined the modification could be implemented without a more detailed 10 CFR 50.59 evaluation. 
The inspectors reviewed the screening using the licensee's procedural guidance and determined the modification adversely affected the SSPS design functions described in the UFSAR because: (1) The response times of the new design boards were slower. Section 4.3.3 of NEI 01-01, Other Digital Issues in the Screening Process, indicates that performance changes from UFSAR described requirements (i.e. response time) should be screened in and require further evaluation under 10 CFR 50.59. (2) Human System Interface (HSI) features (i.e. dip switches, RS-232 communication ports, and indicating light-emitting diodes (LEDs)) were added. Section 4.3.4 of NEI 01-01, Screening Human System Interface Changes, indicates that changes that create new potential failure modes in the interaction of operators and maintenance personnel with the system should be further evaluated for the potential increase in the likelihood of malfunctions. (3) The new boards were loaded with a data file (which NEI 01-01 defines as a type of base software) that configures the CPLD logic. Section 4.3.2 of NEI 01-01, Software Considerations, indicates that digital modifications that involve the use of software applications should be conservatively treated as an adverse effect (requiring evaluation under 10 CFR 50.59) due to the potential introduction of new failure modes (software based failures, including Common Cause Failures (CCF)) not previously evaluated in the UFSAR, especially when modifications involve redundant high risk safety systems (i.e. RPS/ESFAS). In response to the inspectors' questions, the licensee performed a 10 CFR 50.59 evaluation (AR #588797) and determined the change could be implemented without prior NRC review and approval. 
The licensee indicated that (1) the new boards still met the response time requirements for the SSPS as described in the UFSAR, (2) the HSI vulnerabilities were mitigated by configuration at the vendor facility, and (3) the CPLDs were not software-based and that the data files were simple logic files that were fully tested, verified, and validated to operate as expected. The licensee asserted that the development and quality assurance processes used, including design, verification & validation, and configuration control, mitigated any potential increase in the likelihood of malfunctions due to software (or embedded data file) (10 CFR 50.59 criteria (c)(2)(ii)). The licensee also compared the hardware functional testing performed by the vendor with criteria in Branch Technical Position (BTP) 7-19, Guidance for Evaluation of Diversity and Defense-in-Depth in Digital Computer-Based I&C Systems, Rev. 6, section 1.9, to show that software CCFs required no further evaluation. Specifically, the licensee indicated that the functional testing for the boards was adequate as 100 percent testing: every possible combination of inputs and every possible sequence of device states was tested, and all outputs were verified on the boards (and embedded software), to eliminate consideration of software-based CCF. Based on this testing, the licensee concluded that the use of software did not create a possibility of malfunctions of the SSPS with a different result than previously evaluated in the UFSAR (10 CFR 50.59 criteria (c)(2)(vi)). After reviewing the 10 CFR 50.59 evaluation, the inspectors found that they did not have sufficient information to determine that NRC review and approval was not required prior to implementation of the modification. Specifically, the inspectors could not verify the licensee's conclusions regarding the software reliability and the simplicity and testing of the new boards. 
Because the licensee claimed that the CPLDs were not software-based, the licensee did not address the software development processes described in NEI 01-01, section 5.3.3, Digital System Quality. Specifically, the inspectors noted that second and third party commercial vendors were involved in the manufacturing of the CPLDs and development of the base software data-file without a quality software development process as addressed in NEI 01-01. In addition, because of the licensee's claim that the CPLDs were not software-based, the licensee excluded the possibility of software CCF as addressed in NEI 01-01, section 3.2.2, Software Common Cause Failure. The inspectors concluded that software CCF of the SSPS could introduce new failure modes not previously analyzed in the UFSAR. With respect to the simplicity and testing of the SSPS boards, the inspectors questioned the simplicity of the boards and the appropriateness of using testing to rule out consideration of CCFs. In addition, the testing performed by the licensee did not meet the guidance in BTP 7-19. The inspectors also concluded that the HSI features added to the SSPS boards provided additional risk of failures not associated with the original SSPS boards when used by operators and maintenance personnel. In order to determine if the change could have been performed under a 10 CFR 50.59 evaluation and whether it should have been submitted to the NRC for prior approval, this issue remains unresolved pending NRC staff review of additional information to be provided by the licensee to address the issues described above. This issue is being tracked as URI 05000400/2013002-03, Solid State Protection System Digital Modification. |
Site: | Harris |
---|---|
Report | IR 05000400/2013002 Section 1R17 |
Date counted | Mar 31, 2013 (2013Q1) |
Type: | URI: |
Cornerstone | Mitigating Systems |
Identified by: | NRC identified |
Inspection Procedure: | IP 71111.17 |
Inspectors (proximate) | A Alen, A Goldau, D Mas Penaranda, J Austin, J Eargle, M Meeks, P Lessard, R Musser, T Fanelli, R Nease |
INPO aspect | |